

To map the Signalling System No. 7 framework on the Open System Interconnection (OSI)

To learn the GSM Protocol stack and its implementation in Radio Technology.

To simulate a Call set-up between two users and the signalling protocol.

To understand the processes that take place during a call setup.

Signalling System No. 7 (SS7) is a set of telephony signalling protocols developed in 1975,
which is used to set up and tear down most of the world's public switched telephone network
(PSTN) telephone calls. It also performs a number of translation, local number portability,
prepaid billing, short message service (SMS), and other mass market services.

The OSI (Open System Interconnection) model defines a networking framework for implementing
protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in
one station, and proceeding to the bottom layer, over the channel to the next station and back up the

GSM architecture is a layered model that is designed to allow communications between two different
systems. Each layer passes suitable notifications to ensure the transmitted data has been formatted,
transmitted, and received accurately.

In this lab, we will focus on integrating the models into one and learn how they all come into play when
the call set-up process is in progress. This will create an evident relationship between the SS7 Model, the
OSI model and the GSM architecture as they collaborate to make the call between party A and B a

The display showed 1 to indicate MS1. The progressive key was pressed several times to set the trainer
in that condition.

Button 2 was pressed so that MS1 called MS2.

The RING indicator of user 2 started to blink, which indicated the handling-in of the call, and the
buzzer rang with the same rhythm.

Pressing the ANSWER button of user 2 accepted and enabled the call.

The connect LEDs of the users 1 and 2 were on to indicate the enabling of the call.

The indication of the connection phases on the display was observed.

User 1 sent a 2 kHz tone, adjustable with its own level control, to user 2.

User 2 sent a 1.6 kHz tone, adjustable with its own level control, to user 1.

An oscilloscope was then used to analyze the signal.

The signal sent by MS1 on TP12 (2 kHz, max 1.5 Vpp) and the same signal received by MS2 on TP11
(2 kHz, max 1.5 Vpp) were checked.

The signal sent by MS2 on TP10 (1.6 kHz, max 1.5 Vpp) and the same signal received by MS2 on TP13
(1.6 kHz, max 1.5 Vpp) were checked.

The modulating signal MOD, (TP25, 2 Vpp, period of 125μs) that used a channel coding HDB3, was then

The above signal was used, in TP16 (5 V, 8 kHz), which was the frame sync TS0, as the sync signal.

The demodulated signal DEMOD (TP26, 0.5 Vpp), that uses the channel coding HDB3, was observed.

The frequency of the transmission and the reception channel was changed, and the loss of the received
signal was observed: an FDM was simulated.

How the received signals changed as the RF channel parameters NOISE and ATTENUATOR were
modified was then observed.

Description of OSI layers

OSI Model

Group         Layer            Protocol data unit        Function
Host layers   7. Application   Data                      High-level APIs, including resource sharing, remote file access
              6. Presentation  Data                      Translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption
              5. Session       Data                      Managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes
              4. Transport     Segment (TCP) / Datagram  Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing
Media layers  3. Network       Packet                    Structuring and managing a multi-node network, including addressing, routing and traffic control
              2. Data link     Frame                     Reliable transmission of data frames between two nodes connected by a physical layer
              1. Physical      Bit                       Transmission and reception of raw bit streams over a physical medium

At each level N, two entities at the communicating devices (layer N peers) exchange protocol
data units (PDUs) by means of a layer N protocol. Each PDU contains a payload, called the
service data unit (SDU), along with protocol-related headers or footers.

Data processing by two communicating OSI-compatible devices is done as such:

The data to be transmitted is composed at the topmost layer of the transmitting device
(layer N) into a protocol data unit (PDU).

The PDU is passed to layer N-1, where it is known as the service data unit (SDU).

At layer N-1 the SDU is concatenated with a header, footer, or both, producing a layer N-1 PDU. It is
then passed to layer N-2.

The process continues until reaching the lowermost level, from which the data is transmitted to
the receiving device.

At the receiving device the data is passed from the lowest to the highest layer as a series of SDUs
while being successively stripped from each layer's header or footer, until reaching the topmost
layer, where the last of the data is consumed.

Layer 1: Physical Layer

The physical layer defines the electrical and physical specifications of the data connection. It
defines the relationship between a device and a physical transmission medium (for example, an
electrical cable, an optical fiber cable, or a radio frequency link). This includes the layout of pins,
voltages, line impedance, cable specifications, signal timing and similar characteristics for
connected devices and frequency (5 GHz or 2.4 GHz etc.) for wireless devices. It is responsible
for transmission and reception of unstructured raw data in a physical medium. Bit rate control is
done at the physical layer. It may define transmission mode as simplex, half duplex, and full
duplex. It defines the network topology as bus, mesh, or ring being some of the most common.

Layer 2: Data Link Layer

The data link layer provides node-to-node data transfer—a link between two directly connected
nodes. It detects and possibly corrects errors that may occur in the physical layer. It defines the
protocol to establish and terminate a connection between two physically connected devices. It
also defines the protocol for flow control between them.

IEEE 802 divides the data link layer into two sub layers:

Medium access control (MAC) layer – responsible for controlling how devices in a network gain
access to a medium and permission to transmit data.

Logical link control (LLC) layer – responsible for identifying and encapsulating network layer
protocols, and controls error checking and frame synchronization.

The MAC and LLC layers of IEEE 802 networks such as 802.3 Ethernet, 802.11 Wi-Fi, and
802.15.4 ZigBee operate at the data link layer.

Layer 3: Network Layer

The network layer provides the functional and procedural means of transferring variable length
data sequences (called datagrams) from one node to another connected in "different networks". A
network is a medium to which many nodes can be connected, on which every node has an
address and which permits nodes connected to it to transfer messages to other nodes connected to
it by merely providing the content of a message and the address of the destination node and
letting the network find the way to deliver the message to the destination node, possibly routing
it through intermediate nodes.

Layer 4: Transport Layer

The transport layer provides the functional and procedural means of transferring variable-length
data sequences from a source to a destination host via one or more networks, while maintaining
the quality of service functions.

An example of a transport-layer protocol in the standard Internet stack is Transmission Control
Protocol (TCP), usually built on top of the Internet Protocol (IP).

Layer 5: Session Layer

The session layer controls the dialogues (connections) between computers. It establishes,
manages and terminates the connections between the local and remote application. It provides for
full-duplex, half-duplex, or simplex operation, and establishes check pointing, adjournment,
termination, and restart procedures.

Layer 6: Presentation Layer

The presentation layer establishes context between application-layer entities, in which the
application-layer entities may use different syntax and semantics if the presentation service
provides a mapping between them. If a mapping is available, presentation service data units are
encapsulated into session protocol data units and passed down the protocol stack.

This layer provides independence from data representation by translating between application
and network formats. The presentation layer transforms data into the form that the application
accepts. This layer formats data to be sent across a network.

Layer 7: Application Layer

The application layer is the OSI layer closest to the end user, which means both the OSI
application layer and the user interact directly with the software application. This layer interacts
with software applications that implement a communicating component. Such application
programs fall outside the scope of the OSI model. Application-layer functions typically include
identifying communication partners, determining resource availability, and synchronizing

The SS7 protocol stack

SS7 is structured in a multi-layered stack which corresponds closely to the layers of the standard OSI
model, although some SS7 components span a number of layers, as illustrated here.

The SS7 component parts are:

Layer 1 (Physical): MTP-1 (Message Transfer Part-1)

MTP-1 defines the physical means by which SS7 messages are transferred from one node to another. For
E1 or T1 networks, the physical layer is usually a timeslot of an E1 or T1 frame respectively.
The physical layer specifies only how a sequence of bits is conveyed from one SS7 node to another. It
says nothing about the actual meaning of the bits or how they are grouped together to form a message.

Layer 2 (Data Link): MTP-2

MTP-2 defines how an MTP-1 bit transfer mechanism is used to reliably pass variable-length
messages from one SS7 node to another. MTP-2 uses a variant of the High-Level Data
Link Control (HDLC) used in most modern data transfer protocols. This uses a delimiter to
define the start and end of a data frame, prevents flags from occurring inside a frame (bit-stuffing)
and provides protection for the entire frame (CRC at the end). It also defines how CRC errors are
handled (by error response and retransmission).

MTP-2 says nothing about the actual content of a message. It simply defines a mechanism by which a
message of any length can be sent 100% reliably between SS7 nodes and can be used by higher layers of
the SS7 protocol.

MTP-2 knows nothing beyond the single point-to-point link it operates on.
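
The framing mechanism described above (flag delimiter, bit-stuffing, CRC at the end of the frame), as an added example that is not part of the original lab report. It assumes the 16-bit HDLC frame check sequence and treats the payload as opaque bytes; the function names and the sample payload are constructed for illustration.

```python
# Added example: HDLC-style framing of the kind described for MTP-2.
# Assumption: the payload is opaque bytes; real signal-unit header fields are omitted.
FLAG = [0, 1, 1, 1, 1, 1, 1, 0]  # 01111110 frame delimiter


def crc16_x25(data: bytes) -> int:
    """HDLC FCS-16: reflected polynomial 0x8408, initial value and final XOR 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def to_bits(data: bytes) -> list:
    """Serialise octets least-significant bit first, as HDLC does on the line."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def from_bits(bits: list) -> bytes:
    if len(bits) % 8:
        raise ValueError("frame body is not a whole number of octets")
    return bytes(sum(bit << i for i, bit in enumerate(bits[n:n + 8]))
                 for n in range(0, len(bits), 8))


def stuff(bits: list) -> list:
    """Insert a 0 after every run of five 1s so the flag cannot occur in the body."""
    out, run = [], 0
    for bit in bits:
        out.append(bit)
        run = run + 1 if bit else 0
        if run == 5:
            out.append(0)
            run = 0
    return out


def unstuff(bits: list) -> list:
    """Remove the stuffed 0s; six 1s in a row inside the body is a framing error."""
    out, run, i = [], 0, 0
    while i < len(bits):
        out.append(bits[i])
        run = run + 1 if bits[i] else 0
        if run == 5:
            i += 1  # the next bit must be the stuffed 0
            if i >= len(bits) or bits[i] != 0:
                raise ValueError("six consecutive 1s inside frame body")
            run = 0
        i += 1
    return out


def encode_frame(payload: bytes) -> list:
    body = payload + crc16_x25(payload).to_bytes(2, "little")  # CRC at the end
    return FLAG + stuff(to_bits(body)) + FLAG


def decode_frame(bits: list) -> bytes:
    if len(bits) < 16 or bits[:8] != FLAG or bits[-8:] != FLAG:
        raise ValueError("missing opening or closing flag")
    body = from_bits(unstuff(bits[8:-8]))
    if len(body) < 2 or crc16_x25(body[:-2]) != int.from_bytes(body[-2:], "little"):
        raise ValueError("CRC mismatch: the receiver would ask for retransmission")
    return body[:-2]


# Constructed payload that contains the flag octet 0x7E and long runs of 1s.
SAMPLE = bytes.fromhex("7eff0355aa")

if __name__ == "__main__":
    frame = encode_frame(SAMPLE)
    print(len(frame), "bits on the line;", decode_frame(frame).hex())
```

The CRC detects corruption on the link but is not keyed, so it gives no protection against a party that can rewrite the frame and recompute the check.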

Layer 3 (Network Layer): MTP-3

MTP-3 builds on top of the lower-level MTP layers to allow the creation of a network of telephony
network nodes interconnected by SS7 links. Each node is assigned a unique address in the network
(known as a Signaling Point Code or SPC). Messages can be sent at the MTP-3 level in one node to a
topologically distant node (that is with one or more intermediate SS7 nodes) simply by specifying the
Destination Point Code (DPC). MTP-3 entities on the SPC node, the DPC node, and all intermediate
nodes coordinate the transfer of a higher-layer message through the network.

MTP-3 can use multiple parallel routes from SPC to DPC through the network to take account of link
loading and availability (there should always be more than one way to get from any SPC to any DPC).

Upper Layers: TUP (Telephone User Part)

The Telephone User Part (TUP) is used to set up a telephone call between two SS7 nodes. It defines a set
of messages and a protocol using these messages that allows a telephone call to be set up and torn

TUP messages flow only immediately before a call is established and then immediately before it is

Upper Layers: ISUP (Integrated Services User Part)

The ISUP performs the same function as the TUP (that is, it handles the setup and tear-down of
telephone calls) but it is much more sophisticated, providing functions available with primary rate ISDN.
This includes calling and called number notification (or suppression), the ability to control billing
(charging) rates, advanced telephony functions such as transfer, and control over whether the voice
channel is used for voice, fax, or data.

Upper layers: SCCP (Signaling Connection Control Part)

The SCCP runs above the MTP layers and provides a set of facilities similar to those provided by the UDP
and TCP layers of TCP/IP. Specifically, SCCP provides five classes of service such as connectionless (like
UDP) and connection-oriented (like TCP) with options of error recovery and flow control. It also provides
what is known in SS7 as Global Title Translation.

Upper layers: TCAP (Transaction Capabilities Application Part)

The TCAP is designed to implement functions in the SS7 network which are unrelated to the origination
and termination of actual telephone calls. TCAP provides a means by which information can be
transferred from an application at a switch location to another application in another network entity.

One example of TCAP usage is number translation and database transactions and lookup.

Upper layers: MAP (Mobile Application Part)

Mobile Application Part (MAP) is the most complex SS7 component and is used in GSM mobile
telephone systems to pass information between the components of the network.

Upper layers: INAP (Intelligent Network Application Part)

The Intelligent Network Application Part (INAP) is used to implement services within a network, which
involve accesses to an SCP and might also involve the use of an Intelligent Peripheral (IP). INAP messages
are sent between network entities using TCAP transactions.

Upper layers: OMAP (Operations and Administration Application Part)

The OMAP is typically used by a network administration facility to control an entire network
from a central point. Facilities provided in OMAP include administration of system databases,
maintenance access and performance monitoring.

GSM (Global System for Mobile Communications) is a standard developed by the European
Telecommunications Standards Institute (ETSI) to describe the protocols for second-generation
digital cellular networks used by mobile devices such as tablets. It was first deployed in Finland in
December 1991.

GSM is a second-generation (2G) standard employing time-division multiple-access (TDMA)
spectrum-sharing, issued by the European Telecommunications Standards Institute (ETSI). The GSM
standard does not include the 3G Universal Mobile Telecommunications System (UMTS) code division
multiple access (CDMA) technology nor the 4G LTE orthogonal frequency-division multiple access
(OFDMA) technology standards issued by the 3GPP.

Technical details

Network structure

The network is structured into a number of discrete sections:

Base station subsystem – the base stations and their controllers

Network and Switching Subsystem – the part of the network most similar to a fixed network,
sometimes just called the "core network"

GPRS Core Network – the optional part which allows packet-based Internet connections

Operations support system (OSS) – network maintenance

Base station subsystem

GSM is a cellular network, which means that cell phones connect to it by searching for cells in the
immediate vicinity. There are five different cell sizes in a GSM network—macro, micro, pico, femto, and
umbrella cells. The coverage area of each cell varies according to the implementation environment.
Macro cells can be regarded as cells where the station antenna is installed on a mast or a building above
average rooftop level. Micro cells are cells whose antenna height is under average rooftop level; they
are typically used in urban areas. Pico cells are small cells whose coverage diameter is a few dozen
meters; they are mainly used indoors. Femtocells are cells designed for use in residential or small
business environments and connect to the service provider’s network via a broadband internet
connection. Umbrella cells are used to cover shadowed regions of smaller cells and fill in gaps in
coverage between those cells. Indoor coverage is also supported by GSM and may be achieved by using
an indoor picocell base station, or an indoor repeater with distributed indoor antennas fed through
power splitters, to deliver the radio signals from an antenna outdoors to the separate indoor distributed
antenna system. These are typically deployed when significant call capacity is needed indoors, like in
shopping centers or airports. However, this is not a prerequisite, since indoor coverage is also provided
by in-building penetration of the radio signals from any nearby cell.

Subscriber Identity Module (SIM)

One of the key features of GSM is the Subscriber Identity Module, commonly known as a SIM card. The
SIM is a detachable smart card containing the user's subscription information and phone book. This
allows the user to retain his or her information after switching handsets. Alternatively, the user can also
change operators while retaining the handset simply by changing the SIM. Some operators will block this
by allowing the phone to use only a single SIM, or only a SIM issued by them; this practice is known as
SIM locking.

Phone locking

Sometimes mobile network operators restrict handsets that they sell for use with their own network.
This is called locking and is implemented by a software feature of the phone. A subscriber may usually
contact the provider to remove the lock for a fee, utilize private services to remove the lock, or use
software and websites to unlock the handset themselves. It is possible to hack past a phone locked by a
network operator.

GSM security

GSM was intended to be a secure wireless system. It provides user authentication using a
pre-shared key and challenge-response, and over-the-air encryption. However, GSM is vulnerable to
different types of attack, each of them aimed at a different part of the network.
The development of UMTS introduced an optional Universal Subscriber Identity Module (USIM), that
uses a longer authentication key to give greater security, as well as mutually authenticating the network
and the user, whereas GSM only authenticates the user to the network (and not vice versa). The security
model therefore offers confidentiality and authentication, but limited authorization capabilities, and no

GSM uses several cryptographic algorithms for security. The A5/1, A5/2, and A5/3 stream ciphers are
used for ensuring over-the-air voice privacy.

Radio technology

Radio technology is the transmission and detection of communication signals consisting of
electromagnetic waves that travel through the air in a straight line or by reflection from the
ionosphere or from a communications satellite.

Mechanism of wave propagation

A radio wave is made up of electric and magnetic fields vibrating mutually at right angles to each other
in space. When these two fields are operating synchronously in time, they are said to be in time phase;
i.e., both reach their maxima and minima together and both go through zero together. As the distance
from the source of energy increases, the area over which the electric and magnetic energy is spread is
increased, so that the available energy per unit area is decreased. Radio signal intensity, like light
intensity, decreases as the distance from the source increases.

Modulators and demodulators

A carrier wave is a radio-frequency wave that carries information. The information is attached to the
carrier wave by means of a modulation process that involves the variation of one of the
carrier-frequency characteristics, such as its amplitude, its frequency, or its duration.

In amplitude modulation the information signal varies the amplitude of the carrier wave, a process that
produces a band of frequencies known as sidebands on each side of the carrier frequency. These
sidebands (a pair to each modulation frequency) cover a range of frequencies equal to the sum and
difference between the carrier frequency and the information signal.

Frequency modulation involves varying the frequency (the number of times the wave passes through a
complete cycle in a given period of time, measured as cycles per second) of the carrier in accordance
with the amplitude of the information signal. The amplitude of the carrier wave is unaffected by the
variation; only its frequency changes. Frequency modulation produces more (often many more) than
one pair of side frequencies for each modulation frequency.

The ionosphere

An English mathematician, Oliver Heaviside, and a U.S. electrical engineer, Arthur Edwin Kennelly,
almost simultaneously predicted in 1902 that radio waves, which normally travel in straight lines, are
returned to Earth when projected skyward because electrified (ionized) layers of air above the Earth (the
ionosphere) reflect or refract (bend) them back to Earth, thus extending the range of a transmitter far
beyond line of sight. In 1923 the suggestion was proved to be accurate when pulses of radio energy
were transmitted vertically upward and returning pulses were received back from the reflecting layer.
By measuring the time between the outgoing and returning pulses, it was possible to estimate the
height and number of layers. Three layers can normally be distinguished at distances from 50 to about
400 kilometers (30 to 250 miles) above the Earth’s surface. The layers result from a breakdown of gas
atoms into positively charged ions and free electrons caused by energy radiated from the Sun. The
electrons maintain a separate existence in the lower layers for as long as the Sun’s energy is being
received, and in the upper layers some can remain free throughout the hours of darkness.

The three layers are designated D, E, and F. The D layer is approximately 80 kilometers (50 miles) high
and exists only during daylight hours

Radio noise, fading, and interference

Any sudden discharge of electrical energy, like that of lightning, produces transient (short-duration)
radio-frequency waves, which are picked up by antennas. These packets of radio-frequency energy
produce the crackle heard on an amplitude-modulated radio receiver when an electrical storm is nearby
and may be classed as natural noise.

Switching of high-voltage power lines can produce similar effects; the lines help to carry the noise-
producing signals over long distances. Local switching of lights and electrical machinery can also produce
the familiar crackle when the receiver is close to the noise-producing source. These sources are classed
as man-made noise.

Generally, noise of both types decreases as the frequency is increased. An exception is automobile
ignition noise, which produces maximum effect in the very-high-frequency range, causing a sound in
nearby loudspeakers every time a spark plug fires. Many countries have legislation requiring the
suppression of man-made noise by means of filters that reduce the amount of radio-frequency energy
released at the source. Metallic shielding of leads to and from the noise source curtails the radiated
interference. It is also possible to install various noise-reducing devices at the input to radio receivers.

Call Setup

Different procedures are necessary depending on the initiating and terminating party:

Mobile Originating Call MOC: Call setups that are initiated by an MS

Mobile Terminating Call MTC: Call setup, where an MS is the called party

Mobile Mobile Call MMC: Call setup between two mobile subscribers; MMC thus consists of
the execution of a MOC and a MTC one after the other.

Mobile Internal Call MIC: a special case of MMC; both MSs are in the same MSC area,
possibly even in the same cell.

Mobile Originating Call MOC

1. Channel Request: The MS requests the allocation of a dedicated signaling channel to
perform the call setup.

2. After allocation of a signaling channel, the request for MOC call setup, including the TMSI
(IMSI) and the last LAI, is forwarded to the VLR.

3. The VLR requests the AC via HLR for Triples (if necessary).

4. The VLR initiates Authentication, Cipher start, IMEI check (optional) and TMSI
Re-allocation (optional).

5. If all these procedures have been successful, the MS sends the Setup information (number of
requested subscriber and detailed service description) to the MSC.

6. The MSC requests the VLR to check from the subscriber data whether the requested service
and number can be handled (or if there are restrictions which do not allow further proceeding of
the call setup).

7. If the VLR indicates that the call should proceed, the MSC commands the BSC to assign a
Traffic Channel (i.e. resources for speech data transmission) to the MS.

8. The BSC assigns a Traffic Channel TCH to the MS.

9. The MSC sets up the connection to the requested number (called party).

Remark: This MOC as well as the MTC described in the following describes only the principles
of an MOC / MTC, not the detailed signaling flow.
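
The nine MOC steps above, together with the pre-shared-key challenge-response from the GSM security section, as an added example that is not part of the original lab report. HMAC-SHA256 stands in for the operator's authentication and key-generation algorithms and is not a GSM algorithm; the class names, function names, IMSI, key and phone numbers are all constructed.

```python
# Added example: the MOC steps above with triplet-based authentication.
# Assumptions: HMAC-SHA256 stands in for the operator's A3/A8 algorithms (it is not
# a GSM algorithm); class and function names and the IMSI are constructed.
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes):
    """Derive (SRES, Kc) from the pre-shared key Ki and the challenge RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit SRES, 64-bit Kc


class AuC:
    """Authentication centre: the only network element that holds Ki."""
    def __init__(self, subscribers: dict):
        self._ki = dict(subscribers)

    def triplets(self, imsi: str, count: int = 3) -> list:
        ki = self._ki.get(imsi)
        if ki is None:  # unknown subscriber: nothing to hand out
            return []
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)  # fresh 128-bit challenge
            out.append((rand, *a3_a8(ki, rand)))
        return out


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        # The SIM answers any RAND: GSM gives it nothing to verify the network with.
        return a3_a8(self._ki, rand)


class VLR:
    def __init__(self, auc: AuC, barred=()):
        self.auc, self.store, self.barred = auc, {}, set(barred)

    def authenticate(self, sim: SIM):
        triples = self.store.setdefault(sim.imsi, [])
        if not triples:  # step 3: ask the AuC via the HLR only if necessary
            triples.extend(self.auc.triplets(sim.imsi))
        if not triples:
            return None
        rand, sres, kc = triples.pop()  # a triplet is never reused
        sres_ms, _kc_ms = sim.respond(rand)  # step 4: challenge-response
        return kc if hmac.compare_digest(sres, sres_ms) else None


def mobile_originating_call(sim: SIM, vlr: VLR, called: str):
    """Return (connected, trace) for the nine MOC steps."""
    trace = ["1 signalling channel allocated", "2 MOC request forwarded to VLR"]
    kc = vlr.authenticate(sim)
    if kc is None:
        return False, trace + ["4 authentication failed, call rejected"]
    trace += ["3-4 subscriber authenticated, ciphering started with Kc",
              "5 MS sends Setup for " + called]
    if called in vlr.barred:
        return False, trace + ["6 VLR reports a restriction, call rejected"]
    trace += ["6 VLR: call may proceed", "7-8 BSC assigns a traffic channel (TCH)",
              "9 MSC connects to " + called]
    return True, trace


IMSI = "001010000000001"  # constructed test identity
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key

if __name__ == "__main__":
    vlr = VLR(AuC({IMSI: KI}), barred={"+10005550199"})
    for line in mobile_originating_call(SIM(IMSI, KI), vlr, "+10005550100")[1]:
        print(line)
```

Only the VLR compares a response, so the check runs in one direction: the network authenticates the subscriber, and the SIM has no equivalent comparison to run on the network.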


Fig 1
The figure (Fig 1) above shows the signal when a connection is established between node 1 and
node 2. Note that the signal has uniform frequency.

This shows that there is no data being carried over the channel as of yet.

Fig 2

The above shows the signal after modulation occurs. The signaling information is passed through the
channel; this explains the shape in the. Voice is also carried through the same channel. This happens on
the TP16-TP25 connection.
